https://community.splunk.com/t5/Getting-Data-In/How-to-view-individual-hops-of-data-before-it-reaches-indexer/m-p/208737#M41120 <P>We have got "heavy forwarders" and our client has got a Splunk Heavy forwarders at their side before they send to us.<BR /> So the path of flow is </P> <P>Individual host (A) with UF =&gt; Heavy Forwarders (B) =&gt; Heavy Forwarders (C) =&gt; Indexers (D)</P> <P>The hostname is coming as (A) in our indexers which is fair.<BR /> Is there any chance to get information of (B) and (C) (i.e. their hostname, properties etc.)? , i.e. "hops" data went through.</P> <P>Cheers</P> Thu, 03 Nov 2016 14:39:35 GMT koshyk 2016-11-03T14:39:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-view-individual-hops-of-data-before-it-reaches-indexer/m-p/208737#M41120 <P>We have got "heavy forwarders" and our client has got a Splunk Heavy forwarders at their side before they send to us.<BR /> So the path of flow is </P> <P>Individual host (A) with UF =&gt; Heavy Forwarders (B) =&gt; Heavy Forwarders (C) =&gt; Indexers (D)</P> <P>The hostname is coming as (A) in our indexers which is fair.<BR /> Is there any chance to get information of (B) and (C) (i.e. their hostname, properties etc.)? , i.e. "hops" data went through.</P> <P>Cheers</P> Thu, 03 Nov 2016 14:39:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-view-individual-hops-of-data-before-it-reaches-indexer/m-p/208737#M41120 koshyk 2016-11-03T14:39:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-view-individual-hops-of-data-before-it-reaches-indexer/m-p/208738#M41121 <P>Not easy to achieve this by using available logs. I guess you can make use of metrics.log in a way because metrics.log contains connection information from/to forwarders. I do not have example of search to achieve this. </P> Sun, 06 Nov 2016 19:46:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-view-individual-hops-of-data-before-it-reaches-indexer/m-p/208738#M41121 Masa 2016-11-06T19:46:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-view-individual-hops-of-data-before-it-reaches-indexer/m-p/208739#M41122 <P>I guess, i found a field which seems very good and gives me the answer I was looking for sourcetype "splunkd" and source metrics.log</P> <PRE><CODE>12-07-2015 13:41:36.790 +0000 INFO Metrics - group=tcpin_connections, 192.128.28.8:12345:8091, connectionType=cookedSSL, sourcePort=12345, sourceHost=192.128.28.8, sourceIp=192.128.28.8, destPort=8091, kb=7.25, _tcp_Bps=239.48, _tcp_KBps=0.23, _tcp_avg_thruput=0.29, _tcp_Kprocessed=95.17, _tcp_eps=0.13, _process_time_ms=1, evt_misc_kBps=0.00, evt_raw_kBps=0.19, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, build=f3a51e4b37b2, version=6.3.1, os=Windows, arch=x64, hostname=myhost, guid=xxxxx-yyyy-42E7-9224-C9F88B90F400, fwdType=uf, ssl=true, lastIndexer=123.45.67.89:8091, ack=true </CODE></PRE> <P>The key fields looking for are:<BR /> - lastIndexer <BR /> - fwdType</P> <P>This way, we can identify the hops</P> Wed, 07 Dec 2016 14:33:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-view-individual-hops-of-data-before-it-reaches-indexer/m-p/208739#M41122 koshyk 2016-12-07T14:33:28Z